We have set up our HR dept. with Contribute to manage their Intranet content.

In doing so, I created a security group on the server and applied it to the
/HR folder with CHANGE access. They also have READ access at the site level
and down...

Why is it, then, that they can modify other pages outside of the HR folder? They can
modify the main site pages, the /finance area pages, etc.

Any idea?

I didn't think this was possible, as they only had CHANGE access at the /HR